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Abstract 

This paper describes a new protocol for authentication 
in ad-hoc networks. The protocol has been designed to 
meet specialized requirements of ad-hoc networks, such as 
lack of direct communication between nodes or require- 
ments for revocable anonymity. At the same time, a ad- 
hoc authentication protocol must be resistant to spoofing, 
eavesdropping and playback, and man-in-the-middle at- 
tacks. The article analyzes existing authentication methods 
based on the Public Key Infrastructure, and finds that they 
have several drawbacks in ad-hoc networks. Therefore, a 
new authentication protocol, basing on established crypto- 
graphic primitives (Merkle's puzzles and zero-knowledge 
proofs) is proposed. The protocol is studied for a model ad- 
hoc chat application that provides private conversations. 

1 Introduction 

Authentication services are required by many applications 
of ad hoc networks, both mobile (MANETs) or wired, like 
peer-to-peer. As an example, consider chats, games, or data 
sharing in a ad-hoc network, or in a MANET. As more 
practical applications of MANETS will be developed, the 
need for authentication services will grow. In addition, 
many forms of secure routing in MANTETs or general ad- 
hoc networks cannot operate without a form of authentica- 
tion. 

At the same time, ad-hoc networks and their appli- 
cations are more vulnerable to a number of well-known 
threats, such as identity theft (spoofing), violation of pri- 
vacy, and the man-in-the-middle attack. All these threats 
are difficult to counter in an environment where member- 
ship and network structure are dynamic and the presence of 
central directories cannot be assumed. 

Applications of ad-hoc networks can have anonymi- 
ty requirements that cannot be easily reconciled with some 
forms of authentication known today. On the other hand, 
service providers that are bound by legal regulations have 
to be able to trace the actions of user of a MANET. Find- 
ing a reasonable trade-off between these two requirements 
is rather hard. In this paper, we use the term revocable 
anonymity for a system in which a user cannot be identi- 



fied to the outside world, but a trusted authority is provided 
with the possibiUty to identity actions performed by each 
user. 

These considerations lead to the conclusion that mo- 
bile ad hoc networks can benefit from new, specialized 
methods of authentication. In this article, we combine 
two cryptographic techniques - Merkle's puzzles and zero- 
knowledge proofs - to develop a protocol for authenti- 
cation in ad-hoc networks. This protocol is resistant to 
man-in-the-middle and eavesdropping attacks and prevents 
identity theft. However, the protocol allows for revocable 
anonymity of users and is adapted to the dynamic and de- 
centralized nature of these networks. Finally, our protocol 
works with any MANET routing protocol and does not as- 
sume any properties of MANET routing. 

We study the protocol for a model chat application in 
an ad-hoc network that needs to authenticate users to con- 
tinue concurrent private conversations. Users of the chat 
prefer to remain anonymous, but they must have identities 
for the duration of the conversation. However, the applica- 
tions of an authentication protocol in ad-hoc networks can 
be wide, and our authentication protocol can be adapted to 
many other applications. In this paper, we aim to demon- 
strate the principle that lies behind the new authentication 
method, to compare the new method to existing techniques 
and to analyze its security and performance. 



Organization of paper. In the next section, we consider 
how existing techniques such as Public Key Infrastructure 
or their modifications can be used for authentication in 
MANET applications. We present a simple case study of 
a chat application. We demonstrate how the use of PKI 
is difficult if users have no previous knowledge of the re- 
ceiver of messages. Other disadvantages of PKI are the 
lack of global availability and the lack of anonymity. In 
section irm we present and explain the cryptographic prim- 
itives used in our protocol. Section l4!2l m'esents the proto- 
col, and concludes with an analysis of the protocol's se- 
curity and efficiency. Section [S] concludes and discusses 
further work. 



2 Related work 

General security architectures for MANETs almost exclu- 
sively use public key cryptography (PKI or the Web of 
trust) ||6]|9]|2l. These systems provide authentication with- 
out anonymity, and will be discussed in more details below. 

Most systems that provide anonymity are not inter- 
ested in allowing to trace the user under any circum- 
stances. Chaum mixing networks, proxy servers, have not 
been designed to provide accountability. For mobile ad 
hoc networks, approaches exists that provide unconditional 
anonymity, again without any accountability |4|. 

A Chaum mixing network, mentioned earlier, is a col- 
lection of special hosts (mixing nodes) that route user mes- 
sages. Each node simply forwards an incoming messages 
to other nodes in the mixing network. The path (sequence 
of nodes) is chosen by the sender, and the message is put 
into envelopes (based on PKI infrastructure), one for each 
node on the path. 

An area that requires both anonymity and account- 
ability is agent systems ( [16 1). Most of the security archi- 
tectures for those systems do not provide any anonymity, 
e.g., 0, EOl. 

However there exists work devoted to different 
anonymity aspects e.g. itTTl . 

A different scheme that preserves anonymity is pro- 
posed in |8 1. The scheme is based on a credential system 
and offers an optional anonymity revocation. Its main idea 
is based on oblivious protocols, encryption circuits and the 
RSA assumption. 



3 Authentication in MANET applications 

In this section, we discuss a model chat application in a 
MANET that will be used to guide our discussion of au- 
thentication. However, the conclusions of the discussion 
apply to any MANET application that requires authentica- 
tion. 
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Figure 1 . Chat of users in a MANET 



may continue concurrently to the sending of messages to 
all users by either Pi or Pu. 

Consider now that the application wishes to authen- 
ticate the private message senders. For example, after re- 
ceiving the first SPRIV message, the application creates 
a file that will contain all messages exchanged by the two 
users during a private conversation. Only the user that has 
sent the first SPRIV message is authorized to continue 
the conversation. In order to enforce this, some form of 
authentication is required. 

The first question is whether the user address in the 
MANET is sufficient for authentication. Is it possible for 
a malicious user, Pm, to assume the address of an inno- 
cent user, Pf? In MANETs, the possibility of successfully 
spoofing an IP address cannot be overlooked. 

Let us assume that P/ uses his own address as authen- 
tication information. The SPRIV message takes the form 
of SPRIV {receiver address, m, sender address). How- 
ever, Pm runs a DoS attack against Pj, forcing Pj to leave 
the network. After Pj has left, Pm joins the network as- 
suming the address of Pj. Next, Pm can take over the pri- 
vate conversation of Pj. 

What is needed to implement access permissions that 
allow private conversations? An authentication mechanism 
that 



3.1 Chat of users in a MANET 

Consider a chat application in a mobile ad-hoc network. 
The system makes it possible for users to execute two oper- 
ations: SALL{m) and SPRIV{u, m). The first operation 
sends a message, m to all users in the network. The second 
operation sends a private message ni to a selected user, u. 
Note that a user that executes the SALL operation needs 
not to know who receives the message. 

The described system is visualized on figure The 
SALL and SPRIV messages are routed by the network 
using the ROUTE operation (using any MANET routing 
protocol). On the figure, the SALL message is routed from 
user Pj to all other users, among them to Pjj by the nodes 
Pi and P3. After that, Pjj responds by sending a mes- 
sage SPRIV to Pj. The exchange of private messages 



• allows a user to authenticate its conversation partners 

• does not use centralized control during authentication 

• is safe against playback attack 

• is safe against eavesdropping 

• is safe against man-in-the-middle attack 

• provides controlled anonymity 

3.2 Case Study: PKI 

Before we present a new method of authentication, let us 
first describe and analyze available means of providing au- 
thentication in MANETs. The most well known (and most 
frequently used) method is authentication using public key 



cryptography and Public Key Infrastructure (PKI) certifi- 
cates. If such a method is used in a MANET, all users must 
obtain a PKI certificate from a certificate authority (CA) 
in order to access certain system functions (perhaps some 
functions may be available without access control). 

An alternative would be to use a trusted source of au- 
thentication information that is part of the MANET: a boot- 
strap server. This element (we shall refer to it as authenti- 
cating bootstrap, AB) issues certificates to users that join 
the system. A drawback of this approach is that the identity 
of users is not externally verified. A similar approach is to 
allow all users to issue certificates like in the PGP "Web of 
trust" model. In |21 1, this approach has been chosen along 
with the use of SPKI; however, this work does not signifi- 
cantly differ from the approach described in this case study. 

Let us consider, how the described authentication 
methods could be used to solve the problem posed above: 
implementing access permissions for a chat with private 
conversations in a MANET. A proposed solution is shown 
on fig. 12 
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Pj has a certificate, C, that contains its public key and 
a signature, SIG. The certificate and the SPRIV message 
are routed through the MANET (the message contains a 
nonce to avoid playback attacks). For simplicity, let us as- 
sume that there is a single, malicious user on the path from 
Pi to Pjj. When Pu receives the message, he can verify 
the validity of the signature and accept the public key of Pi 
as authentication information. In the future, Pjj will only 
display private messages from Pi if the message has been 
signed by Pi. Verification of the certificate may require 
communication with CA or AB, if Pjj does not know the 
public key of the CA or AB. 

However, note that the presented scenario is inse- 
cure. Pm is capable of a man-in-the-middle attack that 
exchanges the certificate, C, with a certificate of Pm, C, 
and the address of P/ with the address of Pm- Unless the 
receiver, Pu, is capable of verifying that the certificate be- 
longs to the sender Pi, then will be able to continue 
the conversation of Pi afterwards (and Pi will not!). To 
fix this problem, the proposed protocol has to be modified 
as presented on fig. 121 The only way for Pjj to make sure 
that the certificate belongs to Pi is to communicate with Pi 



over a channel that is not controlled by Pm and receive a 
proof that Pi has a private key that matches the public key 
in the certificate. 

After the private conversation has been accepted by 
Pu, Pi may wish to send messages using another SPRIV 
operation. For the second time, authentication can be sim- 
pler. Pi and Pjj now know the public keys of each other 
This information, or a secret value associated with the con- 
versation during initiation, is enough to establish an en- 
crypted channel between Pi and Pu and to authenticate 
Pi- 

3.3 Disadvantages of using PKI for authen- 
tication in MANETs 

However, the proposed solution has several drawbacks: 

1. It requires direct communication with P/. This may 
not be possible if P/ is outside the radio range of Pu- 

2. The certificate must contain the address of P/ (or the 
system must include a directory where this address 
may be found). This requires updates whenever P/ 
changes its address. 

3. Communication with the CA or AB must occur dur- 
ing every transaction, if Pu does know the public key 
of CA or AB. 

4. It requires a 3-way exchange of information. 

5. If PKI certificates are used, the users cannot be 
anonymous. 

6. Note that we do not consider how to provide message 
integrity during communication from P/ to Pu. We 
focus solely on authentication. 

As pointed out in 1 10|, the use of PKI for authen- 
tication has other drawbacks. The use of PKI is diffi- 
cult because of the necessity of verifying legal identities 
of all participants. This is a difficult task, and may limit the 
participation of users from countries or geographical areas 
where the access to PKI infrastructure is limited. Other 
users may have privacy concerns, depending on the type of 
application. 

Finally, the security of PKI has been questioned due 
to its hierarchical nature. In |7|, authors observe that if a 
high-level certification authority is compromised, then the 
result is a failure of a large part of the system. For these rea- 
sons, it may be worthwhile to consider a more lightweight, 
scalable and robust authentication mechanism for MANET 
applications. 

4 Proposal 

In this paper, we describe a new protocol for authentication 
for MANET applications. The protocol allows users to se- 
curely send private messages to another user (as described 
in section 3). 



First, utilized cryptographic primitives are briefly 
introduced: the concept of zero-knowledge proofs and 
Merkle's puzzles. Then, we present the authentication pro- 
tocol. 

4.1 Cryptographic primitives 

Our scheme involves two cryptographic primitives: 
Merkle's puzzles and zero-knowledge proofs. We describe 
them shortly below. 

Merkle's puzzles Ralph Merkle introduced his concept 
of cryptographic puzzles in | ,1 8,1 . The goal of this method 
was to enable secure communication between two parties: 
A and B, over an insecure channel. The assumptions were 
that the communication channel can be eavesdropped (by 
any third party, called E). Assume that A selected an en- 
cryption function (F). F is kept by A in secret. A and B 
agree on a second encryption function, called G: 

G( plaintext, some key) = some encrypted message. 

G is publicly known. A will now create M puzzles 
(denoted as Si, < i < M) in the following fashion: 

s, = G{{K,X,,F{Xi)),R,) 

K is simply a publicly known constant term, which remains 
the same for all messages. The Xi are selected by A at 
random. The Ri are the "puzzle" part, and are also selected 
at random from the range {M • (i — 1), M- i). B must guess 
Ri. For each message, there are N possible values of Ri. 
If B tries all of them, he is bound to chance upon the right 
key. This will allow B to recover the message within the 
puzzle: the triple {K, Xi, F{Xi)). B will know that he has 
correctly decoded the message because the constant part, 
K, provides enough redundancy to insure that all messages 
are not equally likely. Without this provision, B would have 
no way of knowing which decoded version was correct, for 
they would all be random bit strings. Once B has decoded 
the puzzle, he can transmit Xi in the clear F{Xi) can then 
be used as the encryption key in further communications. 
B knows F{Xi) because it is in the message. A knows 
F{Xi) because A knows Xi, which B transmitted in the 
clear, and also knows F, and so can compute F{Xi). E 
cannot determine F{Xi) because E does not know F, and 
so the value of Xi tells E nothing. E's only recourse is to 
solve all the N puzzles until he encounters the 1 puzzle that 
B solved. So for B it easy to solve one chosen puzzle, but 
for E is computationally hard to solve all N puzzles. 

Zero-knowledge proofs A zero knowledge proof system 
((Wl, iTTl, iTTl, \U\, \T4\, |Tl) is a protocol that enables 
one party to prove the possession or knowledge of a "se- 
cret" to another party, without revealing anything about the 
secret, in the information theoretical sense. These proto- 
cols are also known as minimum disclosure proofs. Zero 



knowledge proofs involve two parties: the prover who pos- 
sesses a secret and wishes to convince the verifier, that he 
indeed has the secret. As mentioned before, the proof is 
conducted via an interaction between the parties. At the 
end of the protocol the verifier should be convinced only if 
the prover knows the secret. If, however, the prover does 
not know it, the verifier will be sure of it with an over- 
whelming probability. 

The zero-knowledge proof systems are ideal for con- 
structing identification schemes. A direct use of a zero- 
knowledge proof system allows unilateral authentication of 
P (Peggy) by V (Victor) and require a large number of it- 
erations, so that verifier knows with an initially assumed 
probability that prover knows the secret (or has the claimed 
identity). This can be translated into the requirement that 
the probability of false acceptance be where t is the 
number of iterations. A zero knowledge identification pro- 
tocol reveals no information about the secret held by the 
prover under some reasonable computational assumptions. 

4.2 The authentication protocol 

The proposed protocol offers an authentication method 
for the model MANET chat application. The node that 
wishes to send a private message is equipped with a zero- 
knowledge value. After the setup of a private conversation, 
this value will enable only the right node to send new pri- 
vate messages. Using the proposed protocol, the authenti- 
cation information cannot be used by a node that routes the 
message for its own purpose. A short overview is presented 
in this section and a detailed description in the next. 
The proposed protocol has three phases: 

1. initial: when a bootstrap creates necessary values for 
authentication 

2. initialization of private conversation: the first private 
message contains additional zero-knowledge values 
that will enable the sender (and no one else) to con- 
tinue the private conversation. 

3. exchange of private messages: the sender uses a zero- 
knowledge proof and Merkle's puzzles to authenticate 
itself and to safely send a private message. 

The node that initializes the private conversation is 
denoted as Pj, the receiving node as Ps and nodes that 
route the message as Pi,P2, . . ., the message as m' (first 
message) and m", m'", . . . (next messages). A is the au- 
thentication data. 

In this basic scenario we assume that routing nodes 
do not modify the data, just forward it correctly. Attacks: 
scenarios where these nodes can modify or eavesdrop in- 
formation are described in section l431 

Phase 1 - initial This proposal is not directly based on 
zero-knowledge protocols, but on an identification system 
based on a zero-knowledge proof. We choose the GQ 



scheme r ilSI I as the most convenient for our purposes. In 
this scheme, the bootstrap has a pair of RSA-Hke keys: a 
pubHc Kp and a private one kp. The bootstrap also com- 
putes public modulus N = p ■ q, where p, q are RSA-like 
primes. The following equation has to be true: 

Kpxkp = l(mod (p - 1) • - 1)). 

The pair {Kp, N) is made public. The keys can be used for 
different purposes, not only for our system. 

The bootstrap computes a set of so-called identities, 
denoted by ID, and their equivalencies, denoted by J. It 
does not matter how J is obtained if it is obvious for all par- 
ticipants how to obtain J from ID. The pairs {ID, J) are 
generated for every node that requests them. The identity 
is used to authenticate Pj during an attempt to continue the 
conversation. The bootstrap also computes a secret value 
for each ID: 

a = J-''" {mod N). 

The secret a is used by Pj to compute correct values for 
the GQ authentication scheme. Pj obtains the following 
information in the initial phase: ID (public) and a (secret). 

To preserve anonymity, node Pj should request at 
least a few different pairs {ID, a) or, if possible, obtain 
a new pair for each private conversation (key). 

Phase 2 - initialization of the private conversation The 

purpose of this phase is to associate a proper ID with the 
conversation. Different methods may be used for that pur- 
pose, depending on the security and performance require- 
ments of the system. 

Here are some possibilities: 

1 . The node Pj can simply send the ID with the message 
m in open text. In that situation, the node Pj has to 

\D,f,k \D,f,k \D,f,k 

trust all other nodes that they do not change neither 
message nor ID. 

2. The node Pj can ask the bootstrap to store an ID 
value associated with the conversation. During con- 
versation initialization, Ps contacts the bootstrap and 
obtains the proper ID. 




protocol. After creation of an ID for node Pj in the 
initial phase, the bootstrap can sign the ID with his 
private key. In this case, the ID can be sent securely 
over multiple nodes. After receiving the first message, 
Ps can check the validity of the bootstrap's signature 
and accept only a valid ID. To provide message in- 
tegrity, the bootstrap would have to sign a hash of the 
message {h{m)), as well. 




Phase 3 - exchange of private messages 

1. The node Pi creates a set of puzzles: S = 
{si, . . . , s„}. Each puzzle has a zero-knowledge chal- 
lenge. This challenge is a number computed basing on 
a random value r, r G {1, . . . , TV — 1}. It is computed 
as following: 

u = r'^'' (moAN). (1) 
Creating a set of puzzles 

Each puzzle used in the proposed scheme has a fol- 
lowing form: G{K, Xi, F{Xi), u), Ri), where K, Xi, 
Ri and F, are described in section 14.11 Each puz- 

Table 1 . Possible puzzles 

Puzzle no puzzle 
~T(J{) G{K,Xi,F{X^),u),Ri) 
2(S2) G{K,X2,F{X2),u),R2) 

n(s„) G{K,X^,F{X^),u),Rn) 

zle can contain a different u value (computed from r), 
which gives additional security. 

2. The node Pj sends the whole set of puzzles to Ps- 

f^~\k,S = {s,....,sJ k,S l<.S 
W "H^^/^ 



3. A more secure way is to use the bootstrap's keys for 
a different purpose, not only for the zero-knowledge 



3. Ps solves a chosen puzzle and chooses a random 
value b e {1, . . . , N}. Ps sends the puzzle's num- 
ber (X^) and 6 to P/. 




4. The Pj computes the next value in the GQ scheme, 
V. This values is based on the number b received from 
Ps and on the secret value <j of Pf. 

w EE r X cr^ (mod TV). (2) 

5. Pj sends v and a new message (encrypted, using in- 
formation from the puzzle). Some possible methods 
of securing the message are described below. The se- 
cured message has the form: 

L{m\F{X,)). 



V, L(F(X,),f) V, L(F(X),f) V. L(F(X,),f) 



Continuing the conversation by an unauthorized user 

Assume that one of the routing nodes (Pm) wishes to send 
a private message and impersonate Pj. Pm cannot imper- 
sonate Pj, because Pm does not have the a value to obtain 
the correct v for the authentication phase of the protocol. 
The values u, b or ID do not contain any information that 
would be useful in cheating Ps- This property is assured 
by the zero-knowledge protocol. 

The message itself is secured by methods described 
in sec 14.21 using the F{Xi) value. For any eavesdropper 
it is computationally infeasible to solve all puzzles to find 
the puzzle the with proper Xi (the one used by Ps) if the 
number of puzzles is large enough. E.g. if the function G 
would be DES, and Ri would be a key for a cipher with 
fixed 24 bits (so efficiently 32 bits long), then the number 
of computations required to solve one puzzle is about 2^^. 
Now it is easy to estimate how many puzzles should be 
created by Pj. 

Eavesdropping An eavesdropping node, Pm, can ob- 
serve all values of the zero-knowledge protocol: u, b and r. 
This knowledge does not reveal anything about the secret 
cr and since u and b are random and change in every iter- 
ation of the protocol, that does not enable Pm to interfere 
and gain any important information. Also, if the number of 
puzzles is sufficiently large, solving all puzzles is infeasi- 
ble in reasonable time and finding the puzzle that was used 
to secure the message is hard. 




6. Ps uses information extracted from the puzzle, ID, to 
obtain J and verify if v is the right value. To validate 
the response from Pj, Ps checks if 

J** X -y^^ =u(mod7V). (3) 

If the equation is satisfied, then the new message is 
accepted. 

Securing the new message The value F{Xi) is a secret 
known only to Ps and Pj. Thus, it can be used to establish 
a secure channel for the new message. This can be used to 
provide: 

1. encryption: the message could be encrypted using 
F{Xi) as a key for a symmetric cipher. 

2. integrity: the hash of the message could be encrypted 
using a symmetric cipher with key F{Xi). 



4.3 Security of proposed scheme 

In this section, we are going to discuss only the security 
of phase 3 of the protocol, since the protocol offers several 
distinct possibilities in phase 2, each one with a different 
level of security. 



Play-back attack Using our protocol, Ps chooses a ran- 
dom value b and then Pj has to compute the v value, which 
is later utilized by Ps to check if the authentication is suc- 
cessful. Therefore, previously used v, r (u) and b values 
are useless. Only Pj is able to create the proper v value for 
a random b. 

Man-in-the-middle attack The goal of this attack is to 
either change the new message or to gain some informa- 
tion about (T by one of the intermediate nodes (Pm)- A 
property of zero-knowledge proofs used in our protocol is 
that gaining any information about u, b and v values does 
not reveal anything about the a. Changing the message is 
also not possible since it is protected with the secret value 
F{Xi), known only to Pj and Pg. 

4.4 Performance analysis 

In the proposed system there are two phases when compu- 
tational overhead could be significant: 

1. computing values for the zero-knowledge protocol 
(equations: ^ |2j O. The number of computations 
needed for these equations is similar to computations 
of public key cryptography. The u value (eq.^ can be 
calculated offline. 



2. computing the set of puzzles: this also can be done by 
Pi offline. We assume that the G function would be 
DES or any other symmetric cipher, so it would be 
quite fast to compute a single puzzle. The amount of 
computations depends rather on the number of puzzles 
(M) and is similar to encrypting a message of size 
M ■ n, where n is the size of N in bits (because u < 
N). 

3. Sending the set of puzzles is the only significant com- 
munication overhead. The size of the set of puzzles 
depends on the required security level and is diffi- 
cult to estimate (without additional assumptions about 
available computational power of malicious nodes). 
Moreover, since the breaking of all puzzles should 
take more time than the transmission of the entire mes- 
sage, perhaps the size of the set of puzzles could de- 
pend on the message size (be bounded above by a frac- 
tion of the message size, for instance 1%). 

4.5 Comparison with PKI 

Let us compare our protocol using the same criticism as for 
PKI in section 4: 

1. direct communication of Pj and Ps is no longer re- 
quired 

2. a directory or method to obtain the address of P/ by 
Ps is not necessary 

3. communication with the bootstrap may be required 

during the initialization of a private conversation, de- 
pending on the chosen method of communicating the 
ID 

4. 3-way exchange of information is not required dur- 
ing conversation initialization, but only for subsequent 
messages 

5. the proposed protocol provides revocable anonymity. 
5 Conclusions 

Authentication in P2P/ad-hoc systems is surprisingly diffi- 
cult due to the fact that nodes often do not know the identity 
of each other before they communicate. In a client-server 
system, at least the identity of the server is known to the 
client. This simplifies the use of PKI for authentication. 
In a P2P/ad-hoc system, the use of PKI may require di- 
rect communication of two nodes to prevent a man-in-the- 
middle attack. This is difficult to realize in a P2P/ad-hoc 
system. 

We have developed an authentication method that 
is secured against eavesdropping, man-in-the-middle, and 
playback attacks in a P2P/ad-hoc system, but does not re- 
quire direct communication. The proposed method does 
not introduce significant computational or communication 



overheads. Also, the proposed method provides revocable 
anonymity that is not available when PKI is used. 

The proposed system of authentication with revocable 
anonymity gives quite new possibilities for security solu- 
tions in P2P/ad-hoc networks. First, it provides anonymity 
of the operating node against other nodes and any external 
users, except for the bootstrap. Additionally, the system 
makes it possible to identify a node's actions when coop- 
erating with the bootstrap. If practically implemented, the 
system can be controlled against a malicious nodes trying 
violate the rules of a MANET application. The appUca- 
tions of this control can range from games in a MANET to 
prevention of indecent or malicious messages on MANET 
chats. 

Future work The form of anonymous authentication and 
revocable anonymous authentication should perhaps de- 
pend on the particular MANET apphcation. Thus, the first 
possible extension of the results presented here is a precise 
analysis of requirements of chosen MANET applications. 
This problem will be the subject of future research. 

Another extension of the presented results is to offer 
new security services. The first natural proposition is mu- 
tual authentication of nodes, then non-repudiation of op- 
erations and finally combinations of all conmion security 
services applied to nodes and the routed messages. 
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